MUMBAI: Information technology services companies, including Indian outsourcers, are increasingly coming under attack from global cyber-crime rings seeking access to valuable data of clients, typically those belonging to the financial services industry. This was highlighted by the recent $45-million (Rs 247 crore) ATM heist involving two Gulf-based banks, where the first security breach happened at Pune-based payments processor ElectraCard Services.

For the first time, the Indian IT services industry, which earns a significant portion of its revenues from banks and financial services clients, was the top targeted sector in India in 2012, according to security software maker Symantec, which published the latest edition of its Internet Security Threat Report last week.

Another security solutions company, Kaspersky, also highlighted IT services as one of the top four sectors in the cross-hairs of hackers.

"It is no longer a question of hackers showing off. Now the goal is to steal information and profit from it," said Dinesh Pillai, CEO at Mahindra Special Services Group, which specialises in corporate security risk consulting. According to Symantec, globally, data breach in the IT sector has nearly doubled from 2.7% of all breaches in 2011 to 5% in 2012. "Today we are seeing large call centres coming to us and saying 'can you break into computers, manipulate employees, whatever, but we need to know where the flaws are. Because it's only a matter of time before someone gets penalised'," Pillai said.

India's $76-billion (Rs 4.2 lakh crore) software export sector is also taking steps to protect itself ahead of a comprehensive data security law that Europe is enacting, which could cost them as much as 2% of sales for any data breach.

Technology services companies were reluctant to discuss what challenges they faced or whether there had been an increase in security incidents. Wipro, the country's third-largest software exporter, said it was arming itself with predictive analytics technology to be able to respond to internal and external threats in real time. Infosys said it had "a robust information security framework" that was periodically reviewed and audited internally and jointly with the clients, but said it "cannot share these details externally".

TCS, Cognizant and HCL Technologies did not reply to emails seeking their views.

Kamlesh Bajaj, chief executive at Data Security Council of India, an industry initiative to ensure that robust security practices are adopted by companies in the sector, said IT companies typically adopted standards acceptable in their clients' countries.

"When we analyse security measures, we find that companies like Genpact, TCS and Infosys have stronger security measures in place than the captives of foreign companies," Bajaj said. "Indian BPOs don't even let their employees access Gmail because that might hurt the security of the system."

Senior industry executives said it was not just about IT services companies, but a case of cyber crime increasing in general. "Breaches may happen, but they are tiny in number compared with the number of attacks," said Som Mittal, president of Nasscom, which represents India's $108-billion (Rs 5.9 lakh crore) IT industry. "The recent incident should be seen as a one-off case, even as the country and the industry continue to strengthen capabilities to thwart cyber attacks and cyber crimes that are rising globally," he said, referring to the ATM heist.

Among financial services clients of the Indian IT sector, American Express declined comment while JPMorgan, Ameriprise and Citigroup did not reply to emailed questionnaires.

Unlike in more developed economies, mandatory disclosures of breaches are not enforced in India, denying others in the industry the ability to be on guard in case of an attack. The US, which saw a string of high-profile data breaches at their payment processors and Internet companies, requires companies to report breaches to regulators.

"An unreported breach leaves people ignorant to the fact that their personal information has been compromised," said Gaurav Mahendru of Symantec India. "Mandatory disclosure would encourage the strengthening of security postures."

The European Union has been unwilling to give India 'data secure' status because of the lack of enforcement, accountability and penalty guidelines in the country's existing information technology rules.

"The most important thing that the government can do is to make disclosure compulsory. So that companies in a sector can realise if this sector is being targeted and can learn from each other," said Sanjay Katkar, chief technology officer at anti-virus software maker QuickHeal.